BLFS Security Advisories for BLFS 10.0 and the current development books.
BLFS-10.0 was released on 2020-09-01
This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.
The links at the end of each item point to fuller details which have links to the released books.
In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.
BIND
10.0 093 BIND Date: 2021-02-18 Updated: 2021-02-22 Severity: High
A security vulnerability was found in BIND that could result in a crash or potentially remote code execution if the server uses GSSAPI/SPNEGO. Apply the sed in the page linked in the advisory and rebuild BIND. 10.0-093
10.0 005 BIND Date: 2020-09-05 Severity: High
A variety of vulnerabilities were found in BIND. Most could cause a crash but one allows privilege escalation by someone with authority to change a subset of the zone's content. Update to BIND-9.6.16 or later. 10.0-005
Brotli
10.0 006 Brotli Date: 2020-09-06 Severity: Medium
An integer overflow in brotli before version 1.0.9 can lead to a crash. Update to brotli-1.0.9 or later. 10.0-006
C-Ares
10.0 039 C-Ares Date: 2020-11-19 Severity: High
An application using C-Ares versions from 1.16.0 to 1.17.0 allows an attacker to trigger a Denial Of Service by getting the application to resolve a DNS record with an unexpectedly large number of responses. Update to C-Ares-1.17.1 or later. 10.0-039
CIFS-utils
10.0 004 CIFS-utils Date: 2020-09-05 Severity: High
The mount.cifs program was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. An attacker able to invoke mount.cifs with special permission, such as via sudo rules, could use this flaw to escalate their privileges. Update to cifs-utils-6.11 or later. 10.0-004
Cryptsetup
10.0 008 Cryptsetup Date: 2020-09-06 Severity: High
An out of bounds memory write was discovered in Cryptsetup. Note that this only affects 32-bit builds of cryptsetup. To fix this, update to at least cryptsetup-2.3.4. 10.0-008
cURL
10.0 050 cURL Date: 2020-12-11 Severity: High
cURL before version 7.74.0 has two vulnerabilities rated as High, an uncontrolled recursion and an improper check for certificate revocation, as well as one rated as Low. To fix these, update to curl-7.74.0 or later. 10.0-050
Dovecot
10.0 060 Dovecot Date: 2021-01-04 Severity: Medium
In Dovecot before version 2.3.13, if IMAP hibernation has been enabled (it is off by default) an attacker can access other users' emails and filesystem information. Fix this by updating to dovecot-2.3.13 or later. A workaround is to disable IMAP hibernation: to do that, ensure imap_hibernate_timeout is either set to 0 or unset. 10.0-060
ffmpeg
10.0 098 ffmpeg Date: 2021-02-23 Severity: Medium
ffmpeg-4.3.2 fixed two medium-severity arbitrary code execution vulnerabilities that could occur when processing crafted media files. Update to ffmpeg-4.3.2 or later. 10.0-098
Firefox
10.0 099 Firefox Date: 2021-02-24 Severity: High
In firefox 78.8.0 three vulnerabilities rated as High were fixed. Update to firefox-78.8.0 or later. 10.0-099
10.0 081 Firefox Updated: 2021-02-07 Severity: None
In firefox before 78.7.1 a vulnerability in the Angle graphics library was rated as Critical and a CVE was requested. It has now been clarified that this only affected Windows operating systems.
10.0 071 Firefox Date: 2021-01-26 Severity: High
In firefox 78.7.0 several vulnerabilities rated as High were fixed. Update to firefox-78.7.0 or later. 10.0-071
10.0 063 Firefox Date: 2021-01-06 Severity: Critical
In firefox before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. Update to firefox-78.6.1 or later. 10.0-063
10.0 053 Firefox Date: 2020-12-15 Severity: Critical
Several vulnerabilities were found in firefox before 78.6.0, of which one was rated as critical. Update to firefox-78.6.0 or later. 10.0-053
10.0 036 Firefox Date: 2020-11-16 Severity: High
Several vulnerabilities were found in firefox before 78.5.0, of which two were rated as high. Update to firefox-78.5.0 or later. 10.0-036
10.0 030 Firefox Date: 2020-11-09 Severity: Critical
An exploitable use-after-free was found in firefox before 78.4.1. Update to firefox-78.4.1 or later. 10.0-030
10.0 014 Firefox Date: 2020-09-21 Severity: High
Four vulnerabilities including a memory safety bug rated as High were fixed in firefox-78.3.0. Update to firefox-78.3.0 or later. 10.0-014
Flac
10.0 102 Flac Date: 2021-04-25 Severity: Medium
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file. 10.0-102.
FreeType
10.0 024 FreeType Date: 2020-10-20 Severity: High
In FreeType from 2.6 to 2.10.3 there was a vulnerability in handling embedded PNG bitmaps which was being actively exploited. 10.0-024
Gdk-Pixbuf
10.0 049 Gdk-Pixbuf Date: 2020-12-08 Severity: Medium
Gdk-Pixbuf before version 2.42.2 is vulnerable to a Denial of Service (infinite loop) which can, for example, be triggered using a crafted GIF image with LZW compression. To fix this, update to gdk-pixbuf-2.42.2 or later. 10.0-049
Glib
10.0 079 Glib Date: 2021-02-04 Severity: High
Glib before 2.66.6 was vulnerable to integer truncation leading to potentially exploitable heap-overflow vulnerabilities. The issue was raised in a public report, so this is now classed as a zero-day vulnerability requiring urgent update to Glib-2.66.1 or later. 10.0-079
10.0 018 Glib Date: 2020-10-05 Severity: Medium
Glib before 2.66.1 had incorrect scope/zone ID parsing of URIs. Update to Glib-2.66.1 or later. 10.0-018
GnuPG
10.0 007 GnuPG Date: 2020-09-06 Severity: Critical
A critical security bug was discovered in GnuPG 2.2.21 as shipped in BLFS 10.0, and in 2.2.22. This vulnerability will trigger whenever a key with preference lists for the AEAD algorithms is loaded, and can be exploited. Update to GnuPG-2.2.23 or later. 10.0-007
gnome-autoar
10.0 089 gnome-autoar Date: 2021-02-12 Severity: Medium
gnome-autoar before 0.3.0 was vulnerable to a directory traversal vulnerability due to insufficient checks on symbolic links. Update to gnome-autoar-0.3.0 or later. 10.0-089
GnuTLS
10.0 003 GnuTLS Date: 2020-09-03 Severity: High
A null-pointer dereference causing a remotely-triggered crash in the client application was found. Update to GnuTLS-3.6.15 or later. 10.0-003
GPTfdisk
10.0 074 GPTfdisk Date: 2021-01-26 Severity: Medium
In GPTfdisk before version 1.0.6, in rare cases an improperly formatted MBR partition table could lead to arbitrary code execution when running gdisk or cgdisk. To fix this, update to GPTfdisk-1.0.6 or later. 10.0-074
The Gstreamer Stack
10.0 026 The Gstreamer stack Date: 2020-10-27 Severity: High
Emergency releases of Gstreamer-1.18.1 packages, and also of 1.16.3, were made to fix several vulnerabilities. 10.0-026
ImageMagick
10.0 067 ImageMagick Date: 2021-01-14 Severity: High
Two vulnerabilities were found in ImageMagick, a division by zero causing Denial of Service, and the -authenticate option to set a password for password-protected PDF files was not properly sanitized, allowing users to inject additional shell commands. 10.0-067
Intel Microcode
10.0 094 Intel Microcode Date: 2021-02-19 Severity: Medium
On Intel Skylake Xeon and Cascade Lake Xeon processors, an authenticated user can potentially enable information disclosure via local access through two vulnerabilities. To fix these, update affected machines to microcode-20210216 or later. 10.0-094
Jasper
10.0 084 JasPer Date: 2021-02-09 Severity: High
One vulnerability has been found in jasper-2.0.24. To fix it, update to JasPer-2.0.25 or later. 10.0-084
10.0 080 JasPer Date: 2021-02-04 Severity: High
BLFS had been using JasPer-2.0.14, not aware that the upstream location had moved. In versions before Jasper-2.0.24 more than 25 vulnerabilities were present, mostly either causing a crash or otherwise rated as high. To fix these, update to JasPer-2.0.24 or later. 10.0-080
Jinja2
10.0 087 Jinja2 Date: 2021-02-12 Severity: Medium
In Jinja2 before 2.11.3, a denial-of-service attack was possible via a malformed regex string. This vulnerability exists from 0.0.1 all the way to 2.11.3. Update to Jinja2-2.11.3 or later. 10.0-087
JS78
10.0 072 JS78 Date: 2021-01-26 Severity: High
In the javascript code of firefox-78.7.0 there is a fix for a 'Use-after-poison' vulnerability leading to a potentially exploitable crash. To fix this, update to JS-78.7.0. 10.0-072
10.0 037 JS78 Date: 2020-11-16 Severity: High
Several vulnerabilities were found in firefox before 78.5.0, of which one was in the javascript (js/src) code. To fix this, update to JS-78.5.0 or later. 10.0-037
10.0 031 JS78 Date: 2020-11-09 Severity: Critical
An exploitable use-after-free was found in JS78 before 78.4.1. Update to JS-78.4.1 or later. 10.0-031
Kerberos
10.0 040 Kerberos 5 Date: 2020-11-19 Severity: High
A vulnerability in Kerberos 5 before krb5-1.18.3 allowed a Denial of Service to be triggered when decoding Kerberos protocol messages. 10.0-040
Libass
10.0 027 Libass Date: 2020-10-30 Severity: High
In Libass-0.14.0 there was a vulnerability from a signed integer overflow. To fix this, update to Libass-0.15.0 or later. 10.0-027
LibEXIF
10.0 045 LibEXIF Date: 2020-11-21 Severity: Critical
Three vulnerabilities were found in LibEXIF-0.6.22. To fix this, apply the libexif-0.6.22-security_fixes-1.patch until a later release is available. 10.0-045
Libgcrypt
10.0 085 Libgcrypt Date: 2021-02-10 Severity: High
In Libgcrypt-1.9.0 there is a heap-based buffer overflow. To fix this, update to libgcrypt-1.9.1 or later. 10.0-085
Libpcap
10.0 059 Libpcap Date: 2021-01-04 Severity: High
The changes file for Libpcap-1.10.0 mentions several security fixes. To apply these, update to Libpcap-1.10.0 or later. 10.0-059
LibX11
10.0 001 LibX11 Date: 2020-09-03 Severity: High
In libX11 an integer overflow and double-free was found. Update to libX11-1.6.12 or later. 10.0-001
LibXML2
10.0 044 LibXML2 Date: 2020-11-21 Severity: High
Three vulnerabilities leading to Denial of Service were found in LibXML2-2.9.10. 10.0-044
LXML
10.0 023 LXML Date: 2020-10-17 Severity: Medium
A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website. Update to LXML-4.6.2 or later. 10.0-023
MariaDB
10.0 029 MariaDB Date: 2020-11-04 Severity: Medium
Four CVE vulnerabilities were identified in MariaDB before version 10.5.7. Update to mariadb-10.5.7 or later. 10.0-029
Mutt
10.0 068 Mutt Updated: 2021-01-25 Severity: Medium
In mutt through version 2.0.4 it was possible to cause a Denial of Service (the specific mailbox became unreadable) by sending a message with sequences of semicolons in RFC822 fields, causing large memory consumption. To fix this, update to mutt-2.0.5 or later. 10.0-068
10.0 046 Mutt Date: 2020-11-26 Severity: Medium
Mutt before version 2.0.2 had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS. To fix this, update to mutt-2.0.2 or later. 10.0-046
Node.js
10.0 101 Node.js Date: 2021-02-26 Severity: High
In Node.js before 14.16.0, three high severity security vulnerabilities were discovered. One of them can lead to resource exhaustion, another is an integer overflow, and the other is a DNS rebinding attack. Update to v14.16.0 or later. 10.0-101
10.0 062 Node.js Date: 2021-01-05 Severity: High
In Node.js before 12.20.1, 14.15.4 a high security vulnerability (use after free, leading to Denial of Service or other exploits) as well as two medium security vulnerabilities were found. Update to v14.15.4 or later, or alternatively if remaining with the v12 series update to v12.20.1 or later. 10.0-062
10.0 038 Node.js Date: 2020-11-19 Severity: High
An attacker could cause a Denial of Service via a DNS request for a host of their choice which resulted in an unexpectedly large number of responses. Update to v14.15.1 or later, or if remaining with the v12 series update to v12.19.1 or later. 10.0-038
10.0 012 Node.js Date: 2020-09-17 Severity: High
Multiple security vulnerabilities were discovered in Node.js, including two marked as High. Update to Node.js-12.18.4 or later. 10.0-012
NSS
10.0 022 NSS Date: 2020-10-17 Severity: High
A vulnerability in CSS handling, which could allow a remote attacker to cause a denial of service for servers linked against NSS, was discovered. Update to NSS-3.58 or later. 10.0-022
OpenJPEG
10.0 058 OpenJPEG Date: 2020-12-15 Severity: High
In OpenJPEG before 2.4.0 there are two vulnerabilities rated as high (heap-based buffer overflows) and two rated as Medium (crashes on crafted files) as well as several other security fixes. 10.0-058
P11-Kit
10.0 054 P11-Kit Date: 2020-12-15 Severity: High
In P11-Kit up to 0.23.21 there are multiple integer overflows in the array allocations, and a heap-based buffer overflow. Update to p11-kit-0.23.22 or later. 10.0-054
Perl
10.0 077 Perl (using cpan) Date: 2021-01-30 Severity: High
The perl.com domain was stolen and is currently hosted at an address associated with malware. Anyone who uses the 'cpan' command to build perl modules should ensure that www.cpan.org is used to provide the urllist. 10.0-077
PHP
10.0 083 PHP Updated: 2021-02-07 Severity: Medium
In PHP before versions 7.4.15, 8.0.2, according to Arch, PHP will crash with a SIGSEGV via null-pointer dereference whenever XML is provided to the SoapClient query() function without an existing field. To fix this, update to PHP-8.0.2 or later (or 7.4.15 or later if using the old series). 10.0-083
10.0 064 PHP Updated: 2021-02-04 Severity: Medium
In PHP before 7.4.14, 8.0.1 FILTER_VALIDATE_URL accepts URLs with invalid userinfo. To fix this, update to PHP-8.0.1 or later (or 7.4.14 or later if using the old series). 10.0-064
10.0 019 PHP Date: 2020-10-05 Severity: Medium
PHP before 7.4.11 had two CVE vulnerabilities. To fix these, update to PHP-7.4.11 or later. 10.0-019
Poppler
10.0 061 Poppler Updated: 2021-02-04 Severity: Disputed
A high severity heap-based buffer overflow via a crafted PDF was reported against Poppler-20.12.1, but later reports indicate that this only applies to Poppler git clones in late December 2020 (which might be used by third-party projects). For BLFS no action is now necessary. 10.0-061
PostgreSQL
10.0 034 PostgreSQL Date: 2020-11-12 Severity: High
A number of vulnerabilities were fixed in PostgreSQL-13.1. Update to postgresql-13.1 or later. 10.0-034
10.0 090 PostgreSQL Date: 2021-02-12 Severity: Medium
Two vulnerabilities were fixed in PostgreSQL-13.2 that could lead to unauthorized users acquiring data from a database. Update to postgresql-13.2 or later. 10.0-090
Python
10.0 097 Python (LFS and BLFS) Date: 2021-02-22 Severity: Critical
Python-3.9.2 fixes two security vulnerabilities, one marked as critical and the other as medium. The critical vulnerability can result in remote code execution. Update to Python-3.9.2 or later. 10.0-097
10.0 051 Python (LFS and BLFS) Date: 2020-12-15 Severity: High
Python-3.9.1 includes three security fixes. Update to Python-3.9.1 or later. 10.0-051
Qt5 and QtWebEngine
10.0 042 Qt5 and QtWebEngine Date: 2020-11-20 Severity: Critical
The release of QtWebEngine-5.15.2 pulled in many more CVE fixes from Chrome, of which four were 0day fixes. The rest of Qt5 includes many bug fixes, some of which include heap buffer overflows. Update to at least Qt-5.15.2 and QtWebEngine-5.15.2. 10.0-042
10.0 011 Qt5 and QtWebEngine Date: 2020-09-10 Severity: Critical
Many security vulnerabilities were discovered in Qt5-5.15.0 and QtWebEngine. Update to at least Qt-5.15.1 and QtWebEngine-5.15.1. 10.0-011
Raptor
10.0 035 Raptor Date: 2020-11-13 Severity: High
A heap overflow vulnerability in Raptor can lead to an out-of-bounds write. Patch raptor-2.0.15 with the security_fixes-1.patch since upstream is inactive. 10.0-035
Ruby
10.0 020 Ruby Date: 2020-10-06 Severity: High
The bundled WEBrick HTTP server in ruby before 2.7.2 had a vulnerability which could lead to an HTTP Request Smuggling attack. Update to ruby-2.7.2 or later. 10.0-020
Samba
10.0 028 Samba Date: 2020-10-30 Severity: Medium
Three CVE vulnerabilities were identified in Samba before version 4.13.1. Update to 4.13.1 or later. 10.0-028
10.0 013 Samba Date: 2020-09-26 Severity: Critical
A critical security vulnerability in Samba was discovered, dubbed "ZeroLogon". This vulnerability classifies as an authentication bypass, and is rated a 10.0 on the CVSSv3 scale. Update to Samba-4.12.7 or later. 10.0-013
Screen
10.0 096 Screen Date: 2021-02-19 Severity: Critical
In screen-4.8.0, a security vulnerability was found that could potentially lead to shell injection or a denial-of-service via processing a crafted UTF-8 character sequence. This was originally discovered being used to compromise Minecraft servers. Apply the patch in the advisory to Screen and recompile it. 10.0-096
Seamonkey
10.0 069 Seamonkey Updated: 2021-01-26 Severity: Critical
Fixes from firefox-78.4.1 to 78.6.0, and from thunderbird-78.6.0 were included in seamonkey-2.53.6. Update to seamonkey-2.53.6 or later. 10.0-069
10.0 032 Seamonkey Updated: 2020-11-15 Severity: Critical
The javascript vulnerability in JS-78-4.1 and firefox-78.4.1 also applies to seamonkey-2.53.4. Update to seamonkey-2.53.5 or later. 10.0-032
10.0 015 Seamonkey Date: 2020-09-23 Severity: Critical
Security fixes from firefox-60.6 up to firefox ESR-78.1 were included in Seamonkey-2.53.4. Update to Seamonkey-2.53.4 or later. 10.0-015
Stunnel
10.0 021 Stunnel Date: 2020-10-16 Severity: High
In Stunnel-5.57 the "redirect" option was fixed to properly handle "verifyChain = yes". Update to stunnel-5.57 or later. 10.0-021
Subversion
10.0 086 Subversion Date: 2021-02-10 Severity: Medium
In Subversion before 1.14.1, there exists a remotely exploitable denial-of-service vulnerability that does not require authentication. This vulnerability can also cause the HTTPD webserver to crash. Update to Subversion-1.14.1 or later. 10.0-086
Sudo
10.0 073 Sudo Date: 2021-01-26 Severity: Critical
In Sudo before 1.9.5p2 the 'Baron Samedi' exploit allows privilege escalation. Update to 1.9.5p2 or later. 10.0-073
10.0 065 Sudo Updated: 2021-02-04 Severity: High
In Sudo before 1.9.5 there are two privilege escalation vulnerabilities, one marked as High. 10.0-065
systemd
10.1 081 systemd (LFS and BLFS) Date: 2021-07-23 Severity: High
In systemd-220 and later, a security vulnerability exists that will allow a local attacker to crash your system by mounting a FUSE filesystem with a file path longer than 8MB present. The crash occurs when reading /proc/self/mountinfo, and manifests itself as a kernel panic due to PID1 (init) crashing. Because of the changes coming in LFS 11.0, updating to systemd-249 (with the patch) is not feasible. However, a patch has been created for LFS 10.0/systemd-246. See the advisory linked for more information. The patch replaces the current systemd-246-security_fix-1.patch. 10.1-081
10.1 072 systemd (LFS and BLFS) Date: 2021-07-09 Severity: Moderate
systemd-249 fixed a security vulnerability that could allow a remote attacker to reconfigure the network settings on your computer. Because of its severity and the ease of exploitation, a patch has been prepared for LFS 10.0/systemd-246. See the advisory linked for more information. 10.1-072
Taglib
10.0 092 Taglib Date: 2021-02-15 Severity: Medium
In taglib-1.11.1, a security vulnerability was found that could allow for information disclosure via a crafted OGG file. Update to taglib-1.12 or later. See 10.0-092.
Thunderbird
In general, flaws in Mozilla advisories for Thunderbird cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
10.0 100 Thunderbird Date: 2021-02-24 Severity: High
In thunderbird before 78.8.0 there were three vulnerabilities rated as High. To fix these update to Thunderbird-78.8.0 or later. 10.0-100
10.0 078 Thunderbird Date: 2021-01-31 Severity: High
In thunderbird before 78.7.0 there were various vulnerabilities rated as High. To fix these update to Thunderbird-78.7.0 or later. 10.0-078
10.0 066 Thunderbird Date: 2021-01-12 Severity: Critical
In thunderbird before 78.6.1 a malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. To fix this update to Thunderbird-78.6.1 or later. 10.0-066
10.0 056 Thunderbird Date: 2020-11-19 Severity: Critical
Several vulnerabilities were fixed in Thunderbird-78.6.0, one was rated as Critical. To fix these update to Thunderbird-78.6.0 or later. 10.0-056
10.0 041 Thunderbird Date: 2020-11-19 Severity: High
Several vulnerabilities were fixed in Thunderbird-78.5.0, two were rated High. To fix these update to thunderbird-78.5.0 or later. 10.0-041
10.0 033 Thunderbird Date: 2020-11-10 Severity: Critical
The javascript vulnerability fixed in firefox-78.4.1 also applies to thunderbird. To fix this update to thunderbird-78.4.2 or later. 10.0-033
10.0 025 Thunderbird Date: 2020-10-23 Severity: High
Three vulnerabilities rated as High were fixed in thunderbird-78.4.0. To fix these update to thunderbird-78.4.0 or later. 10.0-025
10.0 016 Thunderbird Updated: 2020-09-25 Severity: High
Five vulnerabilities were fixed in thunderbird-78.3.0 including a memory safety bug rated as High. But users of that version of thunderbird reported numerous crashes. To fix the vulnerabilities and the crashes update to thunderbird-78.3.1 or later. 10.0-016
Unbound
10.0 047 Unbound Updated: 2020-12-05 Severity: Medium
Unbound up to and including version 1.12.0 contains a local vulnerability that would allow for a local symlink attack. 10.0-047
VLC
10.0 075 VLC Media Player Date: 2021-01-30 Severity: High
In VLC Media Player up to and including version 3.0.11 a remote user could create a specially crafted file or stream that would lead to crashes and potential information leakage, or perhaps arbitrary code execution. 10.0-075
Vorbis Tools
10.0 070 Vorbis Tools Updated: 2021-01-26 Severity: High
Three vulnerabilities in Vorbis Tools 1.4.0 could cause crashes. To fix these update to vorbis-tools-1.4.2 or later. 10.0-070
WebKitGTK
10.0 091 WebKitGTK Date: 2021-02-15 Severity: High
A vulnerability that leads to arbitrary code execution when processing some forms of multimedia was found in WebKitGTK. To fix this, upgrade to webkitgtk-2.30.5 or later. 10.0-091
10.0 043 WebKitGTK Date: 2020-11-25 Severity: High
Five vulnerabilities rated as High were found in WebKitGTK. To fix these upgrade to webkitgtk-2.30.3 or later. 10.0-043
Wireshark
10.0 076 Wireshark Date: 2021-01-30 Severity: High
Wireshark up to 3.4.2 had vulnerabilities for a memory leak and a crash. To fix these, update to Wireshark-3.4.3 or later. 10.0-076
10.0 057 Wireshark Updated: 2021-02-04 Severity: Invalid
A Medium Security Advisory for a crash in Wireshark 3.4.0 and 3.4.1 was raised and allocated a CVE, but it was later determined that the bug was not present in any released version of Wireshark. No action is necessary. 10.0-057
10.0 055 Wireshark Date: 2020-09-23 Severity: High
Four Medium Security Advisories which could cause Wireshark to crash were fixed in Wireshark-3.4.1, but in addition the editors had overlooked a High severity item fixed in Wireshark-3.4.0. To fix all of these, update to Wireshark-3.4.1 or later. 10.0-055
10.0 017 Wireshark Date: 2020-09-23 Severity: High
Three Security Advisories (wnpa-sec-2020-11,12,13) were fixed in Wireshark-3.2.7, detailed at Wireshark Security. To fix these, update to wireshark-3.2.7 or later. 10.0-017
Xorg-Server
10.0 048 Xorg-Server Date: 2020-12-05 Severity: High
In Xorg-Server before version 1.20.10 two input validation failures in X server extensions were found. These can lead to local privilege escalations (to root) if the X server is running privileged. Update to Xorg-Server-1.20.10 or later. 10.0-048
10.0 002 Xorg-Server Date: 2020-09-03 Severity: High
In Xorg-Server before version 1.20.9 several input validation failures in X server extensions were found. These can lead to local privilege escalations (to root) if the X server is running privileged. Update to Xorg-Server-1.20.9 or later. 10.0-002
xterm
10.0 088 xterm Date: 2021-02-12 Severity: Medium
In xterm before 366, a denial of service vulnerability was found that could lead to a crash with certain UTF-8 characters. Update to xterm-366 or later. 10.0-088